Skip to content

Kubernetes Cluster Traffic Management

We provide current two means of managing traffic into a kubernetes cluster:

  • NGINX Ingress when you need simple, Kubernetes-native routing of web traffic into services;
  • Cilium Gateway API which offers full API lifecycle management, security, and governance.
Feature Ingress API Gateway
Routing Host/path-based HTTP routing Advanced routing, multi-protocol (HTTP, gRPC, WebSockets)
TLS Termination
Auth (OIDC, JWT, API Keys) ❌ Limited (via annotations/plugins) ✅ Built-in
Rate Limiting / Quotas ❌ Not native ✅ Core feature
Observability Basic (via logs/metrics) Detailed API analytics
Kubernetes-native Sometimes (can be external)
Best for Simple cluster ingress Full API management and security

Examples

Gateway API

In the following example we illustrate how to create a Gateway and corresponding HTTP routes, with HTTP redirecting to HTTPS. We create the Gateway cilium-gateway which makes use of the GatewayClass cilium.

---
# Namespace for our application
apiVersion: v1
kind: Namespace
metadata:
  name: cilium-gateway-demo

---
# Sample application deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: cilium-gateway-demo
spec:
  replicas: 3
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
        version: v1
    spec:
      containers:
      - name: demo-app
        image: nginx:1.25
        ports:
        - containerPort: 80
        volumeMounts:
        - name: html-content
          mountPath: /usr/share/nginx/html
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 200m
            memory: 256Mi
      volumes:
      - name: html-content
        configMap:
          name: demo-html

---
# ConfigMap with Cilium-themed HTML content
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-html
  namespace: cilium-gateway-demo
data:
  index.html: |
    <!DOCTYPE html>
    <html>
    <head>
        <title>Cilium Gateway API Demo</title>
        <style>
            body { 
                font-family: Arial, sans-serif; 
                margin: 0; 
                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
                color: white;
            }
            .container { 
                max-width: 800px; 
                margin: 0 auto; 
                padding: 40px;
                text-align: center;
            }
            .logo { font-size: 3em; margin-bottom: 20px; }
            .feature-box { 
                background: rgba(255,255,255,0.1); 
                padding: 20px; 
                margin: 20px 0; 
                border-radius: 10px; 
                backdrop-filter: blur(10px);
            }
            .success { color: #4CAF50; }
            h1 { margin-bottom: 30px; }
            ul { text-align: left; }
        </style>
    </head>
    <body>
        <div class="container">
            <div class="logo">Safespring</div>
            <h1>Cilium Gateway API with TLS</h1>
            <div class="feature-box">
                <h2 class="success">Successfully Connected!</h2>
                <p>This application is running behind Cilium Gateway with TLS termination.</p>
            </div>
            <div class="feature-box">
                <h3>Cilium Features</h3>
                <ul>
                    <li>eBPF-based networking and security</li>
                    <li>Gateway API implementation</li>
                    <li>Advanced load balancing</li>
                    <li>Network policies and observability</li>
                    <li>High-performance TLS termination</li>
                </ul>
            </div>
        </div>
    </body>
    </html>

---
# Service for the demo application
apiVersion: v1
kind: Service
metadata:
  name: demo-app-service
  namespace: cilium-gateway-demo
  labels:
    app: demo-app
spec:
  selector:
    app: demo-app
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  type: ClusterIP

ClusterIssuer for Let's Encrypt and Certificate

---
# TLS Certificate using cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cilium-demo-tls
  namespace: cilium-gateway-demo
spec:
  secretName: cilium-demo-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - cilium-demo.apps.safesdemo.paas.safedc.net

---

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: notvalid@safespring.com
    privateKeySecretRef:
      name: letsencrypt-prod-private-key
    solvers:
    - http01:
        gatewayHTTPRoute:
          parentRefs:
          - name: cilium-gateway
            namespace: cilium-gateway-demo
            kind: Gateway

Cilium Gateway Configuration

---

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: cilium-gateway
  namespace: cilium-gateway-demo
spec:
  gatewayClassName: cilium
  listeners:
  # HTTPS listener
  - name: https
    hostname: "cilium-demo.apps.safesdemo.paas.safedc.net"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: cilium-demo-tls-secret
        namespace: cilium-gateway-demo
    allowedRoutes:
      namespaces:
        from: Same
  # HTTP listener for redirects
  - name: http
    hostname: "cilium-demo.apps.safesdemo.paas.safedc.net"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same

---
# HTTPRoute for HTTPS traffic
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: demo-https-route
  namespace: cilium-gateway-demo
  labels:
    gateway: cilium-gateway
spec:
  parentRefs:
  - name: cilium-gateway
    namespace: cilium-gateway-demo
    sectionName: https
  hostnames:
  - "cilium-demo.apps.safesdemo.paas.safedc.net"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: "/"
    backendRefs:
    - name: demo-app-service
      namespace: cilium-gateway-demo
      port: 80
      weight: 100
    filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        add:
        - name: X-Served-By
          value: "Cilium-Gateway"
        - name: X-Gateway-Class
          value: "cilium"

---
# HTTPRoute for HTTP to HTTPS redirect
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: demo-http-redirect
  namespace: cilium-gateway-demo
spec:
  parentRefs:
  - name: cilium-gateway
    namespace: cilium-gateway-demo
    sectionName: http
  hostnames:
  - "cilium-demo.apps.safesdemo.paas.safedc.net"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301

NGNIX Ingress

We make use of NGINX demo containers to illustrate NGINX Ingress with a certificate generated using letsencrypt-prod.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coffee
spec:
  replicas: 2
  selector:
    matchLabels:
      app: coffee
  template:
    metadata:
      labels:
        app: coffee
    spec:
      containers:
      - name: coffee
        image: nginxdemos/nginx-hello:plain-text
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: coffee-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: coffee
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tea
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tea
  template:
    metadata:
      labels:
        app: tea
    spec:
      containers:
      - name: tea
        image: nginxdemos/nginx-hello:plain-text
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tea-svc
  labels:
    app: tea
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: tea
---

Ingress Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - cafe.apps.safesdemo.paas.safedc.net
    secretName: cafe-secret
  rules:
  - host: cafe.apps.safesdemo.paas.safedc.net
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80